Reliable PCI wifi cards, and layer 7 filtering

Jeremy Chadwick freebsd at jdc.parodius.com
Thu Feb 10 16:09:34 UTC 2011


(I was considering cross-posting this to freebsd-pf but decided against
it, instead starting here first.  Please keep me CC'd as I'm not
subscribed to freebsd-net)

I'm looking into the possibility of using my home FreeBSD box as my home
firewall/NAT box, to replace my Linksys E2000 router (which runs Linux,
specifically the TomatoUSB firmware).

I plan on using pf for the NAT and firewall layer.  ipfw will not be
used (I have long since moved away from it).  I've got solutions for
everything except two items:

1) Wireless hardware support
   - What consumer PCI cards are known to be reliable and have good
     support on FreeBSD?  It looks like anything that relies on ath(4)
     might be a good choice, but I'm not sure what specific chipset is
     considered decent/worthwhile, or if there's a specific model of
     card from Vendor X(tm) which works great.
   - The card and driver need to support both 802.11b and 802.11g
     simultaneously.  802.11n (for the future) would also be good.
   - Driver or OS needs 128-bit WEP -- this is not a joke, I really do
     have devices which do not do WPA or WPA2.
   - MAC address filtering is needed too, but it looks like that's
     already available (looking at ifconfig(8) man page).

2) Layer 7 filtering
   - Specifically, the ability to block outbound packets in real-time
     which contain certain data in the TCP data portion of the packet.
   - More details: there are some HTTP-based requests which some
     software I use on XP submits to a server pool to return some ads.
     Filtering by IP address isn't possible since the A records of
     the FQDN often change.  The software in question does not honour
     system proxy settings, so use of a proxy (Apache, squid, etc.)
     as a solution will not work.
   - I filter based on GET parameters or the HTTP: Host header.  Thus,
     the matching mechanism doesn't need regex; simple substring matches
     (e.g. strcasestr()) would work fine.
   - Linux has kernel modules called ipt_web and xt_web which can do
     exactly this.  They return a TCP RST to the client which submits the
     packet, and never forward the original packet out the WAN.

Item #2 above seems to be the kicker.  Is there anything in the works
regarding such a capability?  I'd be more than happy to test out code or
whatever.

-- 
| Jeremy Chadwick                                   jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.               PGP 4BD6C0CB |
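The matching logic item #2 asks for (case-insensitive substring match on the Host header or GET parameters of an outbound request, with a "send RST and drop" verdict on a hit) as an added illustration; this is example code written for this page, not part of the original post, ipt_web/xt_web or pf, and the rule lists and sample payloads are constructed.

```python
"""Layer 7 substring filter for outbound HTTP requests (constructed example)."""
from typing import Optional

# Constructed rule lists: matched case-insensitively, like strcasestr().
BLOCKED_HOST_SUBSTRINGS = ("ads.example", "adserver")
BLOCKED_QUERY_SUBSTRINGS = ("show_ads=1", "affid=")


def parse_http_request(payload: bytes) -> Optional[dict]:
    """Return {'method', 'target', 'host'} for a payload that starts an HTTP
    request, or None when it does not look like one (non-HTTP traffic)."""
    text = payload.decode("latin-1")          # byte-preserving, never raises
    head = text.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    method, target, _version = parts
    host = ""
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip()
            break
    return {"method": method, "target": target, "host": host}


def verdict(payload: bytes) -> str:
    """'pass' forwards the segment unchanged; 'rst' means drop it and
    answer the client with a TCP RST, as ipt_web/xt_web are described doing."""
    req = parse_http_request(payload)
    if req is None:
        return "pass"
    host = req["host"].lower()
    query = req["target"].partition("?")[2].lower()   # text after '?'
    if any(s in host for s in BLOCKED_HOST_SUBSTRINGS):
        return "rst"
    if req["method"] == "GET" and any(s in query for s in BLOCKED_QUERY_SUBSTRINGS):
        return "rst"
    return "pass"


# Constructed sample payloads (TCP data portion only).
SAMPLE_AD = b"GET /serve?show_ads=1&v=2 HTTP/1.1\r\nHost: ADS.example.net\r\n\r\n"
SAMPLE_OK = b"GET /index.html HTTP/1.1\r\nHost: www.freebsd.org\r\n\r\n"
SAMPLE_RAW = b"\x16\x03\x01\x00\x05hello"   # not HTTP, must be left alone

if __name__ == "__main__":
    for p in (SAMPLE_AD, SAMPLE_OK, SAMPLE_RAW):
        print(verdict(p), p[:32])
```

The check only sees the segment that carries the request line; a request whose Host header arrives in a later segment needs stream reassembly before this kind of match is reliable.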